18b37c2c5d30841b549e8064c0c28c50de0499f2b761623a11659d8312b2366b

Analysis

max time kernel
144s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-13_721fca74f2e8c5cf7b81857b84573a0a_goldeneye.exe
Size

380KB
MD5

721fca74f2e8c5cf7b81857b84573a0a
SHA1

1097da9102d0cbd1fb92b51378b3920a8d0741ae
SHA256

18b37c2c5d30841b549e8064c0c28c50de0499f2b761623a11659d8312b2366b
SHA512

454a25f61724b4f4c4b4ae79400efb253ac290782dd6bc436f3f64308db0d2edb00f8ddf274b594b992f8fa27647f2244c38d8c55334ea33c4f729eab84736a8
SSDEEP

3072:mEGh0oalPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGcl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3F0CFB5-C3E7-4045-B27D-850B943457B7}	{01DFE5A0-E6BA-4c6c-88B8-C384E37E4639}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3F0CFB5-C3E7-4045-B27D-850B943457B7}\stubpath = "C:\\Windows\\{C3F0CFB5-C3E7-4045-B27D-850B943457B7}.exe"	{01DFE5A0-E6BA-4c6c-88B8-C384E37E4639}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F35C7E1F-928D-4ae6-968D-CC4A1AE3C9D8}\stubpath = "C:\\Windows\\{F35C7E1F-928D-4ae6-968D-CC4A1AE3C9D8}.exe"	{C3F0CFB5-C3E7-4045-B27D-850B943457B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8BA133A-9A48-45fd-89D4-4173A9C8CF40}	{F35C7E1F-928D-4ae6-968D-CC4A1AE3C9D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C13AD6CB-B34F-43b0-A738-BB6648EA50BC}	{878D8B02-4B01-4061-BE8C-E5CE2CE11738}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6001D4C3-2E32-4151-99B0-8C431194B3AD}	{C13AD6CB-B34F-43b0-A738-BB6648EA50BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01DFE5A0-E6BA-4c6c-88B8-C384E37E4639}\stubpath = "C:\\Windows\\{01DFE5A0-E6BA-4c6c-88B8-C384E37E4639}.exe"	2024-10-13_721fca74f2e8c5cf7b81857b84573a0a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F35C7E1F-928D-4ae6-968D-CC4A1AE3C9D8}	{C3F0CFB5-C3E7-4045-B27D-850B943457B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8BA133A-9A48-45fd-89D4-4173A9C8CF40}\stubpath = "C:\\Windows\\{A8BA133A-9A48-45fd-89D4-4173A9C8CF40}.exe"	{F35C7E1F-928D-4ae6-968D-CC4A1AE3C9D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3770734-8CA4-4410-87CD-BC4CF0154289}	{819950F0-D99E-4573-81AF-78592111636C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C13AD6CB-B34F-43b0-A738-BB6648EA50BC}\stubpath = "C:\\Windows\\{C13AD6CB-B34F-43b0-A738-BB6648EA50BC}.exe"	{878D8B02-4B01-4061-BE8C-E5CE2CE11738}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5AE58AA-04C8-4db1-A3F4-D645F8A77503}\stubpath = "C:\\Windows\\{D5AE58AA-04C8-4db1-A3F4-D645F8A77503}.exe"	{6001D4C3-2E32-4151-99B0-8C431194B3AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01DFE5A0-E6BA-4c6c-88B8-C384E37E4639}	2024-10-13_721fca74f2e8c5cf7b81857b84573a0a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{819950F0-D99E-4573-81AF-78592111636C}\stubpath = "C:\\Windows\\{819950F0-D99E-4573-81AF-78592111636C}.exe"	{A8BA133A-9A48-45fd-89D4-4173A9C8CF40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{878D8B02-4B01-4061-BE8C-E5CE2CE11738}	{B252A6AE-BE0A-4636-9861-5BED04488BF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6001D4C3-2E32-4151-99B0-8C431194B3AD}\stubpath = "C:\\Windows\\{6001D4C3-2E32-4151-99B0-8C431194B3AD}.exe"	{C13AD6CB-B34F-43b0-A738-BB6648EA50BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{819950F0-D99E-4573-81AF-78592111636C}	{A8BA133A-9A48-45fd-89D4-4173A9C8CF40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B252A6AE-BE0A-4636-9861-5BED04488BF0}	{C3770734-8CA4-4410-87CD-BC4CF0154289}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B252A6AE-BE0A-4636-9861-5BED04488BF0}\stubpath = "C:\\Windows\\{B252A6AE-BE0A-4636-9861-5BED04488BF0}.exe"	{C3770734-8CA4-4410-87CD-BC4CF0154289}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{878D8B02-4B01-4061-BE8C-E5CE2CE11738}\stubpath = "C:\\Windows\\{878D8B02-4B01-4061-BE8C-E5CE2CE11738}.exe"	{B252A6AE-BE0A-4636-9861-5BED04488BF0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5AE58AA-04C8-4db1-A3F4-D645F8A77503}	{6001D4C3-2E32-4151-99B0-8C431194B3AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3770734-8CA4-4410-87CD-BC4CF0154289}\stubpath = "C:\\Windows\\{C3770734-8CA4-4410-87CD-BC4CF0154289}.exe"	{819950F0-D99E-4573-81AF-78592111636C}.exe

Deletes itself 1 IoCs

pid	Process
2864	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2720	{01DFE5A0-E6BA-4c6c-88B8-C384E37E4639}.exe
2612	{C3F0CFB5-C3E7-4045-B27D-850B943457B7}.exe
2588	{F35C7E1F-928D-4ae6-968D-CC4A1AE3C9D8}.exe
2136	{A8BA133A-9A48-45fd-89D4-4173A9C8CF40}.exe
2104	{819950F0-D99E-4573-81AF-78592111636C}.exe
2888	{C3770734-8CA4-4410-87CD-BC4CF0154289}.exe
2964	{B252A6AE-BE0A-4636-9861-5BED04488BF0}.exe
1680	{878D8B02-4B01-4061-BE8C-E5CE2CE11738}.exe
2084	{C13AD6CB-B34F-43b0-A738-BB6648EA50BC}.exe
2276	{6001D4C3-2E32-4151-99B0-8C431194B3AD}.exe
1548	{D5AE58AA-04C8-4db1-A3F4-D645F8A77503}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B252A6AE-BE0A-4636-9861-5BED04488BF0}.exe	{C3770734-8CA4-4410-87CD-BC4CF0154289}.exe
File created	C:\Windows\{F35C7E1F-928D-4ae6-968D-CC4A1AE3C9D8}.exe	{C3F0CFB5-C3E7-4045-B27D-850B943457B7}.exe
File created	C:\Windows\{819950F0-D99E-4573-81AF-78592111636C}.exe	{A8BA133A-9A48-45fd-89D4-4173A9C8CF40}.exe
File created	C:\Windows\{C3770734-8CA4-4410-87CD-BC4CF0154289}.exe	{819950F0-D99E-4573-81AF-78592111636C}.exe
File created	C:\Windows\{878D8B02-4B01-4061-BE8C-E5CE2CE11738}.exe	{B252A6AE-BE0A-4636-9861-5BED04488BF0}.exe
File created	C:\Windows\{C13AD6CB-B34F-43b0-A738-BB6648EA50BC}.exe	{878D8B02-4B01-4061-BE8C-E5CE2CE11738}.exe
File created	C:\Windows\{6001D4C3-2E32-4151-99B0-8C431194B3AD}.exe	{C13AD6CB-B34F-43b0-A738-BB6648EA50BC}.exe
File created	C:\Windows\{D5AE58AA-04C8-4db1-A3F4-D645F8A77503}.exe	{6001D4C3-2E32-4151-99B0-8C431194B3AD}.exe
File created	C:\Windows\{01DFE5A0-E6BA-4c6c-88B8-C384E37E4639}.exe	2024-10-13_721fca74f2e8c5cf7b81857b84573a0a_goldeneye.exe
File created	C:\Windows\{C3F0CFB5-C3E7-4045-B27D-850B943457B7}.exe	{01DFE5A0-E6BA-4c6c-88B8-C384E37E4639}.exe
File created	C:\Windows\{A8BA133A-9A48-45fd-89D4-4173A9C8CF40}.exe	{F35C7E1F-928D-4ae6-968D-CC4A1AE3C9D8}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D5AE58AA-04C8-4db1-A3F4-D645F8A77503}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-13_721fca74f2e8c5cf7b81857b84573a0a_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C3F0CFB5-C3E7-4045-B27D-850B943457B7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B252A6AE-BE0A-4636-9861-5BED04488BF0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C13AD6CB-B34F-43b0-A738-BB6648EA50BC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{01DFE5A0-E6BA-4c6c-88B8-C384E37E4639}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F35C7E1F-928D-4ae6-968D-CC4A1AE3C9D8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A8BA133A-9A48-45fd-89D4-4173A9C8CF40}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C3770734-8CA4-4410-87CD-BC4CF0154289}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{878D8B02-4B01-4061-BE8C-E5CE2CE11738}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6001D4C3-2E32-4151-99B0-8C431194B3AD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{819950F0-D99E-4573-81AF-78592111636C}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2308	2024-10-13_721fca74f2e8c5cf7b81857b84573a0a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2720	{01DFE5A0-E6BA-4c6c-88B8-C384E37E4639}.exe
Token: SeIncBasePriorityPrivilege	2612	{C3F0CFB5-C3E7-4045-B27D-850B943457B7}.exe
Token: SeIncBasePriorityPrivilege	2588	{F35C7E1F-928D-4ae6-968D-CC4A1AE3C9D8}.exe
Token: SeIncBasePriorityPrivilege	2136	{A8BA133A-9A48-45fd-89D4-4173A9C8CF40}.exe
Token: SeIncBasePriorityPrivilege	2104	{819950F0-D99E-4573-81AF-78592111636C}.exe
Token: SeIncBasePriorityPrivilege	2888	{C3770734-8CA4-4410-87CD-BC4CF0154289}.exe
Token: SeIncBasePriorityPrivilege	2964	{B252A6AE-BE0A-4636-9861-5BED04488BF0}.exe
Token: SeIncBasePriorityPrivilege	1680	{878D8B02-4B01-4061-BE8C-E5CE2CE11738}.exe
Token: SeIncBasePriorityPrivilege	2084	{C13AD6CB-B34F-43b0-A738-BB6648EA50BC}.exe
Token: SeIncBasePriorityPrivilege	2276	{6001D4C3-2E32-4151-99B0-8C431194B3AD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2720	2308	2024-10-13_721fca74f2e8c5cf7b81857b84573a0a_goldeneye.exe	31
PID 2308 wrote to memory of 2720	2308	2024-10-13_721fca74f2e8c5cf7b81857b84573a0a_goldeneye.exe	31
PID 2308 wrote to memory of 2720	2308	2024-10-13_721fca74f2e8c5cf7b81857b84573a0a_goldeneye.exe	31
PID 2308 wrote to memory of 2720	2308	2024-10-13_721fca74f2e8c5cf7b81857b84573a0a_goldeneye.exe	31
PID 2308 wrote to memory of 2864	2308	2024-10-13_721fca74f2e8c5cf7b81857b84573a0a_goldeneye.exe	32
PID 2308 wrote to memory of 2864	2308	2024-10-13_721fca74f2e8c5cf7b81857b84573a0a_goldeneye.exe	32
PID 2308 wrote to memory of 2864	2308	2024-10-13_721fca74f2e8c5cf7b81857b84573a0a_goldeneye.exe	32
PID 2308 wrote to memory of 2864	2308	2024-10-13_721fca74f2e8c5cf7b81857b84573a0a_goldeneye.exe	32
PID 2720 wrote to memory of 2612	2720	{01DFE5A0-E6BA-4c6c-88B8-C384E37E4639}.exe	33
PID 2720 wrote to memory of 2612	2720	{01DFE5A0-E6BA-4c6c-88B8-C384E37E4639}.exe	33
PID 2720 wrote to memory of 2612	2720	{01DFE5A0-E6BA-4c6c-88B8-C384E37E4639}.exe	33
PID 2720 wrote to memory of 2612	2720	{01DFE5A0-E6BA-4c6c-88B8-C384E37E4639}.exe	33
PID 2720 wrote to memory of 2600	2720	{01DFE5A0-E6BA-4c6c-88B8-C384E37E4639}.exe	34
PID 2720 wrote to memory of 2600	2720	{01DFE5A0-E6BA-4c6c-88B8-C384E37E4639}.exe	34
PID 2720 wrote to memory of 2600	2720	{01DFE5A0-E6BA-4c6c-88B8-C384E37E4639}.exe	34
PID 2720 wrote to memory of 2600	2720	{01DFE5A0-E6BA-4c6c-88B8-C384E37E4639}.exe	34
PID 2612 wrote to memory of 2588	2612	{C3F0CFB5-C3E7-4045-B27D-850B943457B7}.exe	35
PID 2612 wrote to memory of 2588	2612	{C3F0CFB5-C3E7-4045-B27D-850B943457B7}.exe	35
PID 2612 wrote to memory of 2588	2612	{C3F0CFB5-C3E7-4045-B27D-850B943457B7}.exe	35
PID 2612 wrote to memory of 2588	2612	{C3F0CFB5-C3E7-4045-B27D-850B943457B7}.exe	35
PID 2612 wrote to memory of 2648	2612	{C3F0CFB5-C3E7-4045-B27D-850B943457B7}.exe	36
PID 2612 wrote to memory of 2648	2612	{C3F0CFB5-C3E7-4045-B27D-850B943457B7}.exe	36
PID 2612 wrote to memory of 2648	2612	{C3F0CFB5-C3E7-4045-B27D-850B943457B7}.exe	36
PID 2612 wrote to memory of 2648	2612	{C3F0CFB5-C3E7-4045-B27D-850B943457B7}.exe	36
PID 2588 wrote to memory of 2136	2588	{F35C7E1F-928D-4ae6-968D-CC4A1AE3C9D8}.exe	37
PID 2588 wrote to memory of 2136	2588	{F35C7E1F-928D-4ae6-968D-CC4A1AE3C9D8}.exe	37
PID 2588 wrote to memory of 2136	2588	{F35C7E1F-928D-4ae6-968D-CC4A1AE3C9D8}.exe	37
PID 2588 wrote to memory of 2136	2588	{F35C7E1F-928D-4ae6-968D-CC4A1AE3C9D8}.exe	37
PID 2588 wrote to memory of 2772	2588	{F35C7E1F-928D-4ae6-968D-CC4A1AE3C9D8}.exe	38
PID 2588 wrote to memory of 2772	2588	{F35C7E1F-928D-4ae6-968D-CC4A1AE3C9D8}.exe	38
PID 2588 wrote to memory of 2772	2588	{F35C7E1F-928D-4ae6-968D-CC4A1AE3C9D8}.exe	38
PID 2588 wrote to memory of 2772	2588	{F35C7E1F-928D-4ae6-968D-CC4A1AE3C9D8}.exe	38
PID 2136 wrote to memory of 2104	2136	{A8BA133A-9A48-45fd-89D4-4173A9C8CF40}.exe	39
PID 2136 wrote to memory of 2104	2136	{A8BA133A-9A48-45fd-89D4-4173A9C8CF40}.exe	39
PID 2136 wrote to memory of 2104	2136	{A8BA133A-9A48-45fd-89D4-4173A9C8CF40}.exe	39
PID 2136 wrote to memory of 2104	2136	{A8BA133A-9A48-45fd-89D4-4173A9C8CF40}.exe	39
PID 2136 wrote to memory of 1744	2136	{A8BA133A-9A48-45fd-89D4-4173A9C8CF40}.exe	40
PID 2136 wrote to memory of 1744	2136	{A8BA133A-9A48-45fd-89D4-4173A9C8CF40}.exe	40
PID 2136 wrote to memory of 1744	2136	{A8BA133A-9A48-45fd-89D4-4173A9C8CF40}.exe	40
PID 2136 wrote to memory of 1744	2136	{A8BA133A-9A48-45fd-89D4-4173A9C8CF40}.exe	40
PID 2104 wrote to memory of 2888	2104	{819950F0-D99E-4573-81AF-78592111636C}.exe	42
PID 2104 wrote to memory of 2888	2104	{819950F0-D99E-4573-81AF-78592111636C}.exe	42
PID 2104 wrote to memory of 2888	2104	{819950F0-D99E-4573-81AF-78592111636C}.exe	42
PID 2104 wrote to memory of 2888	2104	{819950F0-D99E-4573-81AF-78592111636C}.exe	42
PID 2104 wrote to memory of 840	2104	{819950F0-D99E-4573-81AF-78592111636C}.exe	43
PID 2104 wrote to memory of 840	2104	{819950F0-D99E-4573-81AF-78592111636C}.exe	43
PID 2104 wrote to memory of 840	2104	{819950F0-D99E-4573-81AF-78592111636C}.exe	43
PID 2104 wrote to memory of 840	2104	{819950F0-D99E-4573-81AF-78592111636C}.exe	43
PID 2888 wrote to memory of 2964	2888	{C3770734-8CA4-4410-87CD-BC4CF0154289}.exe	44
PID 2888 wrote to memory of 2964	2888	{C3770734-8CA4-4410-87CD-BC4CF0154289}.exe	44
PID 2888 wrote to memory of 2964	2888	{C3770734-8CA4-4410-87CD-BC4CF0154289}.exe	44
PID 2888 wrote to memory of 2964	2888	{C3770734-8CA4-4410-87CD-BC4CF0154289}.exe	44
PID 2888 wrote to memory of 1056	2888	{C3770734-8CA4-4410-87CD-BC4CF0154289}.exe	45
PID 2888 wrote to memory of 1056	2888	{C3770734-8CA4-4410-87CD-BC4CF0154289}.exe	45
PID 2888 wrote to memory of 1056	2888	{C3770734-8CA4-4410-87CD-BC4CF0154289}.exe	45
PID 2888 wrote to memory of 1056	2888	{C3770734-8CA4-4410-87CD-BC4CF0154289}.exe	45
PID 2964 wrote to memory of 1680	2964	{B252A6AE-BE0A-4636-9861-5BED04488BF0}.exe	46
PID 2964 wrote to memory of 1680	2964	{B252A6AE-BE0A-4636-9861-5BED04488BF0}.exe	46
PID 2964 wrote to memory of 1680	2964	{B252A6AE-BE0A-4636-9861-5BED04488BF0}.exe	46
PID 2964 wrote to memory of 1680	2964	{B252A6AE-BE0A-4636-9861-5BED04488BF0}.exe	46
PID 2964 wrote to memory of 1708	2964	{B252A6AE-BE0A-4636-9861-5BED04488BF0}.exe	47
PID 2964 wrote to memory of 1708	2964	{B252A6AE-BE0A-4636-9861-5BED04488BF0}.exe	47
PID 2964 wrote to memory of 1708	2964	{B252A6AE-BE0A-4636-9861-5BED04488BF0}.exe	47
PID 2964 wrote to memory of 1708	2964	{B252A6AE-BE0A-4636-9861-5BED04488BF0}.exe	47

C:\Users\Admin\AppData\Local\Temp\2024-10-13_721fca74f2e8c5cf7b81857b84573a0a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-13_721fca74f2e8c5cf7b81857b84573a0a_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\{01DFE5A0-E6BA-4c6c-88B8-C384E37E4639}.exe
  C:\Windows\{01DFE5A0-E6BA-4c6c-88B8-C384E37E4639}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\{C3F0CFB5-C3E7-4045-B27D-850B943457B7}.exe
    C:\Windows\{C3F0CFB5-C3E7-4045-B27D-850B943457B7}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\{F35C7E1F-928D-4ae6-968D-CC4A1AE3C9D8}.exe
      C:\Windows\{F35C7E1F-928D-4ae6-968D-CC4A1AE3C9D8}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\{A8BA133A-9A48-45fd-89D4-4173A9C8CF40}.exe
        
        C:\Windows\{A8BA133A-9A48-45fd-89D4-4173A9C8CF40}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2136
      - C:\Windows\{819950F0-D99E-4573-81AF-78592111636C}.exe
        
        C:\Windows\{819950F0-D99E-4573-81AF-78592111636C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\{C3770734-8CA4-4410-87CD-BC4CF0154289}.exe
        
        C:\Windows\{C3770734-8CA4-4410-87CD-BC4CF0154289}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\{B252A6AE-BE0A-4636-9861-5BED04488BF0}.exe
        
        C:\Windows\{B252A6AE-BE0A-4636-9861-5BED04488BF0}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\{878D8B02-4B01-4061-BE8C-E5CE2CE11738}.exe
        
        C:\Windows\{878D8B02-4B01-4061-BE8C-E5CE2CE11738}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
        
        C:\Windows\{C13AD6CB-B34F-43b0-A738-BB6648EA50BC}.exe
        
        C:\Windows\{C13AD6CB-B34F-43b0-A738-BB6648EA50BC}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
        
        C:\Windows\{6001D4C3-2E32-4151-99B0-8C431194B3AD}.exe
        
        C:\Windows\{6001D4C3-2E32-4151-99B0-8C431194B3AD}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\{D5AE58AA-04C8-4db1-A3F4-D645F8A77503}.exe
        
        C:\Windows\{D5AE58AA-04C8-4db1-A3F4-D645F8A77503}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6001D~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C13AD~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{878D8~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B252A~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3770~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81995~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:840
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8BA1~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1744
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F35C7~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C3F0C~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{01DFE~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01DFE5A0-E6BA-4c6c-88B8-C384E37E4639}.exe

Filesize
380KB

MD5
a37eebdc64174766d231cdb2abba898b

SHA1
fedefc6a3cf63a4b21e0473b05667ae115819189

SHA256
7601802681ab7eebdbfdbe5efb7ef609a4b9af8fbce963ece5c229c3727064af

SHA512
0f9f2863df3e06da6ec2e0ade54255bcbfdc12be79432f6eb34759119c3f1a710593f6bce1cb17db499b4f24e59548db777fb9999ead925a68289b7f5e27bca6

Download Submit
C:\Windows\{6001D4C3-2E32-4151-99B0-8C431194B3AD}.exe

Filesize
380KB

MD5
deb9f088aaf715bea77d6c8edea819a4

SHA1
bb07286ba23d784a7a89fbc0cc466e3b4f85d7bc

SHA256
42e915ddfea6c68ad917eff622e1193b97c425aaaa439d343d7ddc113c0aad64

SHA512
b67f919b33c783eac4008b52d36797d25fcee921a418ff16dbb728e5e6ef81b372d194a1b3f735c03b17d7c1c865b34769e727d10e8110a10fe55a1783f38597

Download Submit
C:\Windows\{819950F0-D99E-4573-81AF-78592111636C}.exe

Filesize
380KB

MD5
6c83db3322127ee717116174cc0cb54e

SHA1
cf6608deae9e72d7d1ce48e19691cf77f3c4ca21

SHA256
bc8d43146ee5d5b5d85fb1e54b9d813e06962b394ecfa95011df97b075d8de62

SHA512
6f5df21fd326eba2c06323ab7b1b57d0db04d7a26ba355ce5f7d9d93e88ad21b73f08a59736243b357774bfbafdc2872dbc392a183832d77e3de974b65fd3082

Download Submit
C:\Windows\{878D8B02-4B01-4061-BE8C-E5CE2CE11738}.exe

Filesize
380KB

MD5
cf328cec21da4c155367d793d64870a6

SHA1
d87c7a94fb0b7ffbdf2dceaa6ad0079b022ae90a

SHA256
6dd8c49f96c9b591cc271799fab5a01faceb11d9777c916631c057a3540e7052

SHA512
a55f28769efc21a8a966c25ab0ff05ec53a42791947c4e030a09c4daa116bfa5b6e0d250363fdf0e47f67baf33e1f9163cbb97af97d166059026b44dd86c9d3a

Download Submit
C:\Windows\{A8BA133A-9A48-45fd-89D4-4173A9C8CF40}.exe

Filesize
380KB

MD5
e7e1b23ea80479720cb2ac14811f5e74

SHA1
f58d4f63d813cec777f16a231b3587744c4a324f

SHA256
0e81044a007e2f2338562f42b86411d5021c821de9dff8423336a0cc781b9f76

SHA512
70e61988855d9393971dbb7a20cca127c6ab9e8e8af3990454b5a6985ed910aec52563c6b9d51772ef738dea7ea511ce3369af3e782f805eae37d9d3a299604c

Download Submit
C:\Windows\{B252A6AE-BE0A-4636-9861-5BED04488BF0}.exe

Filesize
380KB

MD5
101a24aa505bdc5229e5e65e4eb62a9d

SHA1
31e73c2f7cc76ad46eac636da88d5ba8ec22fb3e

SHA256
8f51cd6549c6a92ac03171e5bfc14e1fc2d9eda5e56ea469b0740804ef11bf47

SHA512
49a3714181cd1abec03e906462e9a76b4f0a3576eb3e0fe5fc085d31fc4909e691239ba36309f1ec82c585738af545227c5f3900ad9db0ef4a1e9a0dc3ff9b4b

Download Submit
C:\Windows\{C13AD6CB-B34F-43b0-A738-BB6648EA50BC}.exe

Filesize
380KB

MD5
7ce5410e9826523f644827b93cd00621

SHA1
e7945bb90696a114a0e39e46b4626ef7ba19e4ef

SHA256
36e58f1732edeb1dc8cb15ecbc9d885f1d2c90040fd420afb09fa60e3ca86f09

SHA512
fb558b05ee3937fa3ac084eaa04f6c4d2b0a7406fca106dbccc6f6bd62551071befe39f4ce1f9897da18ec6863c061fd0bd20e924af69297f04221a88f8d3168

Download Submit
C:\Windows\{C3770734-8CA4-4410-87CD-BC4CF0154289}.exe

Filesize
380KB

MD5
58036f53e4243ca927b2c0e1da1cd67a

SHA1
9b87cd4d4c17e11c8d857dbf808133cfb71f3f16

SHA256
c967e55e0ebeeeedaa1586dae6d912065577dc91d57102bad66645affc5b461f

SHA512
faa913c2822323f6738628c3192bb3139648d4d56747c11b31d26ee8b60037153952cf6754b782a548c97e0565980cf59b6cc0d1b08822d66f3966abab6f3e6f

Download Submit
C:\Windows\{C3F0CFB5-C3E7-4045-B27D-850B943457B7}.exe

Filesize
380KB

MD5
1126bd33c9240a6f660eddd6a8cfa88b

SHA1
e9ef3a597c1acc168347e2cc43cbb2a810ae5916

SHA256
082f68dea4901d6f135d334dfedb19db0219f4b5976776c8e3313e9152dd9daa

SHA512
28f4d2e9a48794fdebe852296f5f4806666820b45b7fbad0404b5b345d36d3972c0c188988430aae0de02c7ccb0980f713e0b11e1da6851d924e3849c227e90f

Download Submit
C:\Windows\{D5AE58AA-04C8-4db1-A3F4-D645F8A77503}.exe

Filesize
380KB

MD5
b490d33a14bfc504b701ec35c04161f1

SHA1
7364a9cbba734fa1edfdf14f5502ef057ebe2184

SHA256
a6c48841507dfcd04b1822c0a3c5415ccd672f5219d1f0cf5fe0d87bbf5df0c4

SHA512
a2819d18443f29c8ebbf10351ba61bb0e3d5db7c868c8c52a4e5e8df85b6a9e46aea220daace107470b9d7d219967a634c1b3a5ce22aa31c2113ecf8e6e64b1e

Download Submit
C:\Windows\{F35C7E1F-928D-4ae6-968D-CC4A1AE3C9D8}.exe

Filesize
380KB

MD5
a9fde8fe4a819d4c143068a4190b6e41

SHA1
2f7b2d1e70efe1c4c03649ea3a5a4a1327942ce2

SHA256
6a1754b998a28923d4d01a021a97f7a4955dda0818d08c3f10d4043a3d0dec93

SHA512
6d78c9528038184be7ff3e1b62a24ff8e088b213d0fcc97daa48ad7d6d9a2d9dec4b9f60de96d29d041bf99f47ef0c0da53adcc715efa3c1503547e296859872

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads